Facebook on Friday offered a bit of good news about the massive data breach that it first revealed Sept. 28—followed by a lot of bad news.

The good news is, the number of users whose accounts were hacked was 30 million, down from Facebook’s original estimate of 50 million. Facebook also now says that it believes users’ accounts on Instagram, Oculus, WhatsApp, and third-party apps were not affected. (Here’s how to tell whether your Facebook account was hacked.)

The bad news is Facebook can now confirm that the vast majority of those victims did indeed have their personal information stolen. (All it had said previously was that their accounts were accessed.) And while Facebook still doesn’t know just what the hackers plan to do with that information, the possibilities are many. As for who did it, Facebook said: “We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack.”

The security update came two weeks after Facebook first disclosed that a series of vulnerabilities allowed hackers to take control of millions of users’ accounts. They did it in part by abusing a feature known as “View As” that was intended to show you what your Facebook profile looks like to other people. The breach is presumed to be the worst in Facebook’s history, although it has not yet provoked the same level of outrage as its Cambridge Analytica scandal earlier this year.

I say “yet” because at the moment, we still don’t know the full impact of the data theft. But we may never know the true scope, because a lot of the impact could take the form of individual identify thefts and spear-phishing attacks that are hard to link directly with the information stolen from people’s Facebook accounts.

First, the numbers. Of the 30 million affected, Facebook said that 1 million did not have any information stolen. That’s reassuring for those relative few. Another 15 million had basic personal information stolen, such as their name and contact information. That’s bad, especially if the contact information included people’s cellphone numbers—and doubly so if they were using those cellphone numbers for two-factor authentication, a key security measure in many online services.

But what’s really bad is that a much richer set of personal data was stolen from 14 million Facebook users. In a blog post, Facebook said that data included the following:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

Yikes! That’s the kind of information that could be used to stalk someone, to harass them or their family, to answer the security questions that guard their online accounts, to deceive them by posing as someone they know, or to trick them into clicking a malicious link or disclosing sensitive information. Those are just a handful of the possibilities that leap to mind.

Facebook executive Guy Rosen said in a press call Friday that the company can’t say yet whether the hack victims have been targeted with phishing attacks, but he indicated that Facebook is at least aware that’s a strong possibility. He said that as the company notifies victims, it will also be telling them to watch out for suspicious emails or text messages that might be seeking to capitalize on their stolen data.

When Facebook first announced the breach, some took it as reassuring that users’ passwords hadn’t been stolen. Instead, the hackers used something called digital access tokens to get into their accounts without entering a password. It also comes as something of a relief that Facebook believes credit card info was not exposed in the breach.

But in the long run, stolen passwords or credit card numbers might have been less damaging than what the hackers got. After all, you can change your passwords or get a new credit card. It’s not so easy to change your hometown, cellphone number, religion, friends and family, or search history.

That’s the type of information that could continue to haunt people for years, or even the rest of their lives, in the wrong hands. And while we don’t yet know exactly whose hands that information is in, it’s a safe bet they’re not the hands you’d want pawing through your personal life. Such data can also be sold or even publicly given away in online forums.

There’s still a lot we don’t know about this hack. We can expect more sordid details to trickle out in time. The best hope now for those affected is that whoever stole their information has been cautious with it, or better yet, hasn’t done anything with it yet at all. But that seems unlikely. And the scariest part is that we may never know for sure.